June 2013 www.csoonline.com $9.00 BUSINESS RISK LEADERSHIP


TECH:  How  Hackers  Gain  Admin 
Access  to  Critical  Infrastructure  6 

RISK:  What  Not  to  Do  When  You’re 
Trying  to  Find  Vulnerabilities  14 

LEAD:  Outstanding  Women  in  Infosec  20 




Introducing  the  barely-noticeable  Avigilon  HD  Micro  Dome  camera 

The  powerful  new  HD  Micro  Dome  camera  (available  in  1  MP 
and  2  MP  resolutions)  delivers  superior  image  detail  in  our  most 
discreet  size.  And  combined  with  Avigilon  Control  Center,  the 
HD  Micro  Dome  camera  provides  the  easiest  transition  from 
analog  to  HD.  Learn  more  at  avigilon.com/microdome 


Avigilon

THE  BEST  EVIDENCE 


*Actual size.

June  2013  Volume  12,  Number  5 


DDoS in the Dark

26 The secrecy around distributed denial-of-service attacks is a problem when you’re desperate for guidance. But the answers are there, if you know where to look.

BY  GEORGE  V.  HULME 


tech 

6 How Hackers Gain Admin Access to Critical Infrastructure

8 LivingSocial Breach May Have Wide-Ranging Effects

9 Jailbroken Google Glass Is No More Risky Than Smartphones

10 It’s Time to Wash Away the Stench of CISPA

10 Google Play Changes Bring Cautious Optimism on Android Security

11 Anonymous’s Attack on Israel Fizzles; Will Its U.S. Attack Fail Too?

12 DDoS Attacks Turn Outdated Network Protocols Against Their Hosts

13 Phishing Gang Jailed for Stealing Woman’s $1.6 Million Life Savings

13 McAfee Buys Firewall Maker Stonesoft


risk

14 What Not to Do When You’re Trying to Find Vulnerabilities

18 Find Your Risk Tolerance in 3 Simple Steps

lead

20 Outstanding Women in Infosec

24 6 Tips for Keeping Your Pen-Testing Tactics on the Right Side of the Law

■ Also Inside

2 Editor’s Letter

4 Publisher’s Letter

32 Last: Ten Tweets: Brian Honan




Breaking  the  Silence  on  DDoS 

As a writer and editor covering security, I speak daily to people in the trenches, the folks who assess threats and manage the risks facing their organizations. Many are happy to talk at length about their plans for defense. But when I ask, “What happened to get you here?” my question is frequently met with silence. Then, “I’d rather not get into specifics.”

It’s understandable. A security manager’s desire to keep secret their history of vulnerability is, in many ways, smart. But at the same time, this policy of silence means that security leaders who need information from those with real-world experience are left empty-handed and wondering how to start building an effective defense strategy.

This month’s cover story examines the ramp-up of distributed denial-of-service (DDoS) attacks against banks, and also delves into the reasons that security executives who have been unfortunate enough to fall victim have little desire to discuss what occurred. As DDoS attacks become more brutal, and more frequent, the instinct to keep quiet about them has also increased.

But we offer some help. CSO contributor George V. Hulme has tracked down a list of useful tips and best practices for organizations seeking help defending against DDoS attacks. The information, culled from background discussions and interviews with security folks who have been involved in helping organizations defend themselves from DDoS attacks, will give you a sense of which integral parts of your defense program you need to evaluate, now, so you can be ready for these ever-evolving, sophisticated assaults against your corporate assets and operations.

-Joan Goodchild, Executive Editor
jgoodchild@cxo.com

Correction: CSO’s April issue highlighting our CSO40 winners left out two important names from double-award winner ADP. For the project “Improve Analytics, Reduce Client Waiting Time,” team leader Denise Hucke was not mentioned. For the project “Client security management office portal,” team leader Phani Dasari’s name was left out. CSO regrets the errors.


CSO (ISSN 1540-904X) is published monthly except for a combined issue in July/August and December/January by CXO Media Inc., 492 Old Connecticut Path, P.O. Box 9200, Framingham, MA 01701-9200. Periodical Postage Rate at Framingham, MA 01701, and at additional mailing offices. Canadian Publications Mail agreement number 1902075. Canadian Postmaster: Please return undeliverable copy to P.O. Box 1632, Windsor, ON N9A 7C9. Copyright 2011 by CXO Media Inc. All rights reserved. Reproduction of material appearing in CSO is forbidden without written permission. Permission to photocopy for internal or personal use or the internal or personal use of specific clients is granted by CSO for users through the Copyright Clearance Center, provided that a fee of $3.50 per copy of the article is paid directly to Copyright Clearance Center, 222 Rosewood Drive, Danvers, MA 01970, www.copyright.com. Please specify: ISSN 1540-904X. Permission to photocopy does not extend to contributed articles (those followed by this symbol: {). Address inquiries to CSO, P.O. Box 3402, Northbrook, IL 60065; 866 354-1125. CSO is free to qualified security executives. To all others the one-year basic rate is $70 for the United States and Canada, $95 to foreign countries (payable in U.S. funds only). The single copy price is $9 to the U.S. and Canada and $15 international. Please allow four to six weeks for new subscriptions to begin. Change of Address: Go to www.omeda.com/custsrv/cso and follow the online instructions. Postmaster: Send change of address to: CSO, P.O. Box 3402, Northbrook, IL 60065. Printed in the USA.




Managing Editor

Bill Brenner
bbrenner@cxo.com
508 988-7587
Twitter: @billbrenner70

Executive Editor

Joan Goodchild
jgoodchild@cxo.com
508 988-7994
Twitter: @msjoanieg

Senior  Editor,  Copy  and  Production 

Colleen  Barry 

Executive  Director,  Art  and  Design 

Mary  Lester 

Art  Director 

Steve  Traynor 

Editorial  Administrator 

Pat  Josefek 

Research  Manager 

Carolyn  Johnson 

Contributors 

Taylor Armerding, Mary Brandel, John E. Dunn, Elisabeth Horwitt, George V. Hulme, Gregg Keizer, Jeremy Kirk, Richard Power, Jaikumar Vijayan, Bob Violino

Editorial/Advertising/ 
Business  Offices 

492  Old  Connecticut  Path, 

P.O.  Box  9208 

Framingham,  MA  01701-9208 
Main  phone  number:  508  872-0080 

Subscriber  Services 

Phone:  866  354-1125 
Fax:  847  564-9453 
cso@omeda.com 


IDG Enterprise

An IDG Communications Company

International Data Group
Chairman of the Board

Patrick J. McGovern

IDG Communications, Inc.

CEO

Bob Carrigan

Chief Content Officer

John Gallant


WHO’S GOT THEIR HANDS ON YOUR DATA?

WANT TO SEE HOW YOUR DEFENSES ARE BYPASSED?


TRADITIONAL 
SECURITY  NO 
LONGER  SECURES 


There’s  a  town  in 
Romania  known  as 
Hackerville.  It’s  where 
criminals  turn  data  into 
expensive  sports  cars. 
This  isn’t  just  credit  card 
fraud,  this  is  monetizing 
intellectual  property 
swiped  from  companies 
who  thought  they  were 
protected. 

We  know  where  the 
bad  guys  lurk.  Not  just 
in  Hackerville,  but  also 
in  your  network’s  blind 
spots.  Put  us  to  the  test. 


TRITON  STOPS  MORE  THREATS.  WE  CAN  PROVE  IT. 


www.websense.com/proveit 


TRITON 


2013  Websense,  Inc.  All  rights  reserved.  Websense  and  the  Websense  logo  are  registered  trademarks  of  Websense,  Inc 
in  the  United  States  and  various  countries.  All  other  trademarks  are  the  property  of  their  respective  owner. 


A  Sorry  State  of  Affairs 

The summer months at CSO are what I like to call “research season.” Every May, we start digging through the mounds of data we’ve collected from you, our loyal readers, in an attempt to understand your world.

I don’t like to be the person who finds a dark cloud around every silver lining, but how do I put it? Things really aren’t very pretty.

Recently I’ve been spending my “free time” (sarcasm intended) examining the state of cybercrime in the U.S. Through various studies over the past decade we have seen, frankly, not a lot of improvement. Losses are still high, and while impacts vary from year to year, they are always bad. We’ve seen attacks become increasingly sophisticated and complex, which means businesses must try novel approaches to defend against them.

But with the exception of a few of the largest and most well-positioned businesses, most companies haven’t changed their defenses much at all. For example, would you be surprised to learn that most IT and security professionals think the best defense against advanced persistent threats (APTs) is up-to-date anti-malware? It surprised me.

But more alarming, I think, is how little insight most organizations have into what is happening on their networks. Five or six years ago, when our Global State of Information Security Survey (conducted with our sister brand CIO and our partners at PricewaterhouseCoopers) asked about sources of attacks or their impact on the organization, we would regularly see more than 40 percent of respondents saying they didn’t know the answer. That number has dropped considerably over the years. But now I’m seeing similarly high numbers when we ask about cybercrime, its impact and the responses to it. It’s an alarming trend.

Every time I dig into the data I feel as if I’m in a Socratic examination: each question invites another question. If intellectual property is our most valuable asset, why don’t we do more to protect it? Why do we hold on to security technology that eats budget but delivers marginal results? When we do implement new technologies, why do we consistently give them too few resources so we end up with minimal benefit? Even more important, is the term “APT” becoming commoditized, and if so, are we becoming numb to the real advanced threats? So many questions.

Over the next few months, we’ll be releasing much of the data that I refer to here, so keep your eyes open and your mind ready for debate. This research will offer insights that can help you improve your security.

-Bob  Bragdon,  publisher 
bbragdon@cxo.com 


Advertiser Index

ASIS International: 7
Avigilon: C2
CSO: 17, 19, 21
Executive Women’s Forum: 15
Oracle Corp: 5
Quantum Secure Inc: C4
Security Smart Newsletter: C3
Websense Inc: 3


Executive Committee
President & CEO Michael Friedenberg
Executive Assistant to the President & CEO Pamela Carlson
SVP of Human Resources Patricia Chisholm
SVP of Events Ellen Daly
SVP & Chief Content Officer John Gallant
SVP of Digital Brian Glynn
SVP of Strategic Programs & Custom Solutions Group Charles Lee
SVP, Group Publisher & CMO Bob Melk
SVP & General Manager, Online Operations Gregg Pinsky
SVP of DEMO Neil Silverman
SVP & COO Matthew Smith
SVP & General Manager, CIO Executive Council Pam Stenson
SVP of Digital & Publisher Sean Weglage

Sales 

Publisher  Bob  Bragdon 
East  Coast  Regional  Director, 
Integrated  Sales  Roz  Burke 
Sales  Director  -  West  Mary  Hazelton 
Sales  Assistant  Kelsey  Scheidemantel 

Integrated  Media  and  Online  Sales 
East  Coast  Online  Regional  Sales 
Manager  Richard  Hartman 
West  Coast  Online  Regional 
Sales  Manager  Erika  Karr 
Central  Online  Regional  Sales 
Manager  Stacy  Bryne 
Director  of  Ad  Operations  & 
Project  Management  Bill  Rigby 
Director,  Online  Account 
Services  Danielle  Tetreault 

Production 

VP  Production  Services  Chris  Cuoco 
Production  Manager  Heidi  Broadley 

Marketing 

Vice  President,  Marketing  Sue  Yanovitch 
Marketing & PR Manager Lynn Holmlund

List  Services 

Contact  Steve  Tozeski  of  IDG  List  Services 
at  508  820-8106  or  stozeski@idglist.com 

Reprints & Permissions

For  information  about  reprints  and 
copyright  permissions,  please  contact 
The  YGS  Group,  800-290-5460,  ext.  100. 
cso@theygsgroup.com 




Webb  Chappell 


EXECUTIVE VIEWPOINT

ADVERTORIAL

Mary  Ann  Davidson 

CHIEF  SECURITY  OFFICER 
ORACLE  CORPORATION 

Mary  Ann  Davidson  is 
the  Chief  Security  Officer 
at  Oracle  Corporation, 
responsible  for  Oracle 
Software  Security  Assurance. 
She  represents  Oracle  on 
the  Board  of  Directors  of 
the  Information  Technology 
Information  Sharing  and 
Analysis  Center  (IT-ISAC),  and 
serves on the international board of the Information Systems Security Association (ISSA). She has been named
one  of  Information  Security's 
top  five  "Women  of  Vision," 
is  a  Federal  100  award 
recipient  from  Federal 
Computer  Week,  and  was 
recently  named  to  the  ISSA 
Hall  of  Fame. 


FOR  MORE  INFORMATION: 

Please  visit 

www.oracle.com/security 


ORACLE 

CSO 

Custom  Solutions  Group 


Security  from  the  Inside  Out 

Rethink  the  level  of  protection  you  provide  to  your  databases 
as  well  as  user  access  to  systems  and  applications. 


According  to  a  survey  by  IDG  Research 
Services,  52  percent  of  the  respondents 
believe  that  a  database  breach  would 
have  the  most  severe  impact  on  the 
organization.  Despite  this,  only  a  small 
fraction  of  IT  resources  are  devoted  to 
protecting  the  database.  Are  organizations 
putting  the  right  security  attention  on 
databases? 

Most  organizations  presume  that 
databases  are  safe  because  they  physically 
run  on  machines  inside  the  perimeter. 

So  the  natural  inclination  is  that  if  we 
protect  the  perimeter,  we’ve  secured 
our  databases.  But  this  assumption  is 
no  longer  true.  The  world  has  changed 
drastically.  Our  databases  are  now 
connected  directly  to  Web  applications 
and  can  be  compromised  via  SQL 
injection  attacks  initiated  from  the 
browser.  This  means  we  have  to  rethink 
the  level  of  protection  we  provide  to  our 
databases  and  applications.  Security  has 
to  start  inside.  While  all  of  the  threats 
are  outside,  the  risks  are  inside.  Our 
databases  contain  two-thirds  of  our  most 
sensitive  information. 

Oracle  speaks  about  the  necessity 
of  protecting  corporate  information 
from  the  inside  out.  What  does  that 
mean  exactly? 

What  we  mean  is  that  organizations’ 
most  valuable  assets  are  inside.  Your 
customer  data,  your  intellectual 
property  and  your  corporate 
financial  data  are  all  stored  inside 
your  organization.  These  are  your 
high-priority  assets.  Security  starts 
with  protecting  this  information  and 
controlling  access  to  the  applications 
that  touch  this  information.  To  protect 
these  assets,  you  need  strong  access 
governance  to  make  sure  only  the  right 
users  can  see  this  information,  and  you 
need  strong  database  security  to  make 
sure  malicious  attackers  can’t  get  at  it. 


How can an inside-out approach help CSOs and CISOs correlate security spending to concrete risk reduction?

Taking  an  inside-out  approach  provides 
a  way  to  prioritize  which  assets  are  most 
valuable.  To  draw  an  analogy,  I  would 
compare  the  internal  systems,  servers, 
applications,  databases  and  storage  to 
a  bank  vault  with  jewels.  Our  data  is  the 
equivalent  of  the  jewels.  The  combination 
to  the  vault  is  the  equivalent  of  privileged 
user  access.  Like  a  bank,  we  want  to  make 
sure  that  the  least  number  of  people  can 
actually  enter  the  vault. 

Securing  from  the  inside  out  means 
moving  the  controls  closer  to  the 
systems  they  protect  and  securing 
access  to  systems  across  the  stack  with 
good  governance.  Banks  employ  tightly 
managed  user  access  control  and 
administration  over  data  and  applications 
that  transact  and  store  financial 
information.  The  CSO  has  to  think  about 
corporate  information  in  the  same  way. 

How  does  Oracle's  approach  to 
enterprise  security  help  defend 
against  today's  new  breed  of 
cyber  attacks? 

It’s  important  to  realize  that  cyber 
criminals  and  attackers  are  after  the 
information  and  applications  inside 
the  organization’s  boundaries.  So  we 
have  to  start  inside  out.  If  we  had  strong 
password  controls  against  applications 
and  databases  in  place,  the  majority  of 
the  attacks  would  have  to  adapt  or  fail. 
Most  of  the  attacks  are  propagated  by 
taking  advantage  of  misconfiguration 
and  systems  that  aren’t  patched  correctly. 
Automating  the  patching  to  your 
databases  and  systems  across  your  stack 
from  applications  to  disk  forces  your 
attackers  to  try  much  harder.  Good 
security  on  databases  and  identity  and 
access  management  can  significantly 
reduce  risk  exposure.  ■ 


How Hackers Gain Admin Access to Critical Infrastructure

Many industrial control systems are rendered vulnerable by unsecured ports. By Antone Gonsalves


SECURITY WEAKNESSES UNCOVERED in terminal servers that provide Internet connections to a wide variety of business and industrial equipment exemplify the risk inherent in adapting older systems to modern technology, experts say.

A  recent  study  by  the  security  firm  Rapid7 




found  more  than  114,000  terminal  servers, 
mostly  from  Digi  International  or  Lantronix, 
that  are  configured  to  let  anyone  gain  access 
to  the  underlying  systems.  A  terminal  server, 
also  called  a  network-access  server,  makes 
any  equipment  with  a  serial  port  accessible 
through  the  Internet. 


The systems found vulnerable to tampering included industrial control equipment, traffic signal monitors, fuel pumps, retail point-of-sale terminals and building automation equipment. A hacker scanning the Internet for the serial ports on these devices could easily use a command line program to gain administrative privileges and control the equipment.

The problem largely stems from companies failing to set up strong authentication measures. Rather than requiring a strong password, the equipment is left using the manufacturer’s default password, or no authentication at all.

While just setting up proper authentication would fix the problem in most cases, the reasons that companies fail to do so are complicated.

For example, terminal servers are often added to HVAC equipment and building security systems by a third party or by people within the organization who aren’t IT security pros. As a result, the IT security staff may not even know the servers exist, says Matthew Neely, director of research at risk management company SecureState.

In general, adding security to control systems is difficult and may add a layer of complexity that the underlying systems were not built to handle.

“There is often a tendency not to deploy [security] because it impacts functionality,” says Joe Weiss, a security consultant for Applied Control Solutions.

Vendors also can add to the problem by marketing equipment as secured, when in reality it is just capable of being secured, which means the buyer has to add the necessary technology. In other cases, the vendor will send equipment with all the security mechanisms turned off, leaving it to the buyer to turn them on.

Electric utility companies often have to deal with a problem that’s specific to terminal servers, Weiss says. Federal cybersecurity requirements for the power industry don’t cover serial port servers, so when utility companies assess their security they often skip over terminal servers, which don’t show up on their compliance checklists.

“They don’t even have to look for these [servers],” Weiss says.

One reason terminal servers are often equipped with only light security is that most of the devices were not designed to be used with critical industrial control systems or other vital equipment. Therefore, experts recommend that such high-value hardware operate on a separate network, such as a virtual LAN, with a firewall between it and the corporate network.

While a virtual LAN would mean managing a separate network and set of credentials for administrators, that solution would be far less trouble than having the equipment compromised by a hacker, says Matthew Luallen, president and co-founder of CYBATI, which teaches people how to secure industrial control systems.

“Administrative systems are high-value targets,” Luallen says. “Once somebody is in, they’re at admin privileges.”
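The two failure modes the article describes, a terminal server that drops straight to a command prompt with no login and one that still accepts a manufacturer default credential, are the things an owner should be checking in their own inventory before someone else does. The script below is an added example and is not code from the article, Rapid7 or any vendor. It classifies each device from its login behaviour. The network transport is injected so the logic runs offline here against constructed session transcripts; a real run would supply a TCP/telnet transport and be pointed only at devices you own and are authorized to test. The prompt patterns, the host addresses and the default credential pairs are assumptions, not vendor-documented values.

```python
"""Audit terminal servers for missing or default authentication (added example)."""
import re
from dataclasses import dataclass
from typing import Iterable, Protocol

# Heuristic prompt patterns: assumptions, not vendor-documented strings.
LOGIN_PROMPT = re.compile(r"(login|user ?name|user)\s*:", re.IGNORECASE)
PASSWORD_PROMPT = re.compile(r"password\s*:", re.IGNORECASE)
SHELL_PROMPT = re.compile(r"[#>$]\s*$")            # a command prompt at the end of output
AUTH_FAILED = re.compile(r"invalid|incorrect|denied|failed", re.IGNORECASE)


class Transport(Protocol):
    def read(self) -> str: ...
    def write(self, line: str) -> None: ...
    def close(self) -> None: ...


class ScriptedTransport:
    """Offline stand-in: replays a constructed transcript of device output."""

    def __init__(self, responses: Iterable[str]) -> None:
        self._responses = list(responses)
        self.sent: list[str] = []          # what the auditor typed, for inspection

    def read(self) -> str:
        return self._responses.pop(0) if self._responses else ""

    def write(self, line: str) -> None:
        self.sent.append(line)

    def close(self) -> None:
        pass


@dataclass
class Finding:
    host: str
    status: str      # "no-auth", "default-creds", "ok" or "unknown"
    detail: str


def _asks_for_credentials(text: str) -> bool:
    return bool(LOGIN_PROMPT.search(text) or PASSWORD_PROMPT.search(text))


def audit_device(host: str, transport: Transport,
                 default_creds: Iterable[tuple[str, str]]) -> Finding:
    """Classify one terminal server from the way its login session behaves."""
    try:
        out = transport.read()
        if SHELL_PROMPT.search(out) and not _asks_for_credentials(out):
            return Finding(host, "no-auth", "command prompt before any login")
        if not _asks_for_credentials(out):
            return Finding(host, "unknown", "no recognizable prompt")
        for user, password in default_creds:
            if LOGIN_PROMPT.search(out):
                transport.write(user)
                out = transport.read()
            if PASSWORD_PROMPT.search(out):
                transport.write(password)
                out = transport.read()
            if SHELL_PROMPT.search(out) and not AUTH_FAILED.search(out):
                return Finding(host, "default-creds", f"accepted {user}/{password}")
            # a rejected attempt normally re-prompts, so the loop tries the next pair
        return Finding(host, "ok", "login required and default credentials rejected")
    finally:
        transport.close()


def audit_inventory(devices: dict[str, Transport],
                    default_creds: Iterable[tuple[str, str]]) -> list[Finding]:
    """Audit every device in the inventory and return the ones that need attention."""
    creds = list(default_creds)
    findings = [audit_device(host, t, creds) for host, t in devices.items()]
    return [f for f in findings if f.status != "ok"]


# Constructed transcripts standing in for three devices on a control-system VLAN.
DEFAULTS = [("admin", "admin"), ("root", "root")]   # assumed vendor defaults
SAMPLE_DEVICES = {
    "10.10.0.11": ScriptedTransport(["\r\nConnected.\r\n#"]),
    "10.10.0.12": ScriptedTransport(["login: ", "Password: ", "\r\nWelcome\r\n#"]),
    "10.10.0.13": ScriptedTransport(["login: ", "Password: ", "Login incorrect\r\nlogin: ",
                                     "Password: ", "Login incorrect\r\nlogin: "]),
}

if __name__ == "__main__":
    for finding in audit_inventory(SAMPLE_DEVICES, DEFAULTS):
        print(f"{finding.host}: {finding.status} ({finding.detail})")
```

Run against the constructed inventory it reports the first device as having no authentication and the second as accepting a default credential; the third, which rejects both pairs, is filtered out as "ok". Because the transport is an interface, the same classifier can be driven by a real socket on the device's telnet port, and the list of findings is what you take to the team that installed the servers without telling IT.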



LivingSocial  Breach  May 
Have  Wide-Ranging  Effects 

ABOUT 60 PERCENT OF LIVINGSOCIAL MEMBERS REUSE their passwords, according to a report released by a password-management-software maker.

The company, Dashlane, also reported that the typical Internet surfer reuses the same password for an average of 49 websites.

Those numbers could be bad news for members of the deal site LivingSocial, which had to reset the passwords of about 50 million users last week after it discovered those credentials had been compromised in a data breach.

“The problem with the breach is not just that your LivingSocial password got out there on the Web,” says Dashlane Marketing Vice President Nishant Mani. “It’s that that same password, along with the same login ID, which most people seem to use on many other sites, is now out there.”

While it’s well known that many people reuse passwords and use weak passwords, such as 123456, for many non-sensitive websites, the trouble is that they also use those practices at websites that do store sensitive personal information.

In its letter to users, LivingSocial asked its members to change not only their LivingSocial password, but also their passwords at other sites where they may have reused the password. “I’m glad they did that,” Mani said. “Most sites don’t do that. They just say to change the password to their site.”

Unfortunately, if Dashlane’s data is any indicator, more than half the members will reuse a password they’re using elsewhere or modify their compromised password in a weak way, such as by changing “password” to “password2.”

That’s if they change their password at all. “They tell you to change your password, but I was able to use the exact same one,” says Mike Gross, director of professional services and risk management at 41st Parameter, a maker of fraud-prevention software.

-John P. Mello Jr.




Jailbroken  Google  Glass  Is  No 
More  Risky  Than  Smartphones 




GOOGLE  GLASS  POSES  NO  GREATER  SECURITY  RISK  TO 
companies  than  smartphones  or  other  technology  that  people  can  use 
to  secretly  record  video  and  snap  pictures,  experts  say. 

The  security  risks  of  Google  Glass,  which  many  see  as  the  beginning 
of  mass-market  wearable  computing,  have  come  under  scrutiny  after  a 
hacker  showed  the  headset  could  be  jailbroken. 

The  model  rooted  by  Android  and  iOS  developer 
Jay  Freeman  was  sold  only  to  developers.  Glass  is  not 
yet  available  to  the  general  public. 

Freeman cracked Glass in two hours by exploiting a well-known vulnerability in Android 4.0.4, the version of the operating system that ships with the device. Once in, Freeman was able to fully control the device, bypassing the security mechanisms put in place by Google. Tech-savvy people will often jailbreak a device in order to run applications or to modify it in ways not allowed by the manufacturer.

The  Glass  break-in  did  not  surprise  Tim  Bray,  developer  advocate  for 
Google.  “Yes,  Glass  is  hackable.  Duh,”  he  wrote  on  Twitter. 

In  an  interview  with  Forbes,  Freeman  was  not  yet  sure  what  he 
could  do  with  the  device  now  that  he  had  access  to  its  software.  Jason 
Perlow,  senior  technology  editor  at 
ZDNet,  thinks  that  a  jailbroken  Glass 
could  be  modified  to  secretly  record 
video  and  take  pictures  without  the 
user  knowing. 

As a recording device, the current version of Glass has serious limitations. With roughly 12GB of usable storage, there is not much room for a lot of video, although that is plenty of capacity for pictures.

Battery  life  is  also  not  great.  A 
person  reading  email  and  taking 
some  pictures  and  short  video  could 
get  roughly  five  hours,  according  to  a 
review  on  Engadget.  That  time  would 
fall  dramatically  if  the  user  took  a  lot 
of  video. 


These  limitations  would  make  Glass  a  poor  alternative  to  small 
video  devices  already  available  if  someone  wanted  to  secretly  record  in 
an  office,  says  Anton  Chuvakin,  an  analyst  for  Gartner. 

“It's  completely  unrealistic,  but  exciting  to  talk  about,”  Chuvakin 
says  of  using  Google  Glass  in  a  clandestine  operation. 

Because of the hardware limitations, jailbreaking the device does not make it much riskier. “To me, the risk of a rooted Glass device is similar to a rooted smartphone,” he says.

In addition to Glass’ weak capabilities as a recorder, it is also far more expensive than much better stealthy video equipment. “Glass could certainly be used for espionage, but it is a very expensive toy to use for that purpose and has little to no advantage over already existing methods,” says Chester Wisniewski, a senior security adviser for Sophos.

The  bigger  security  issue  with  the  current  version  of  Glass  is  that  it 
doesn’t  have  a  mechanism  to  set  a  password  for  the  device,  Wisniewski 
says.  “But  we  can  assume  that  a  production-ready  version  would  not 
ship  with  such  shoddy  security.” 

-Antone Gonsalves




Google founder Sergey Brin (L) and designer Diane von Furstenberg watch a rehearsal at New York Fashion Week in September. The show was also the launch event for Google Glass.


Carlos  Allegri/Reuters 



It’s  Time  to  Wash  Away  the  Stench  of  CISPA 




AS THE NATION’S ATTENTION WAS focused on the Boston Marathon bombings in mid-April, the House of Representatives quietly passed a cybersecurity bill that is nothing more than a license for the government and private entities to spy on citizens and customers. It faces a tougher path in the Senate (where it’s currently stalled in committee) and at the White House (where the president has vowed to veto it), but plenty can go wrong as the bill makes its way to the other end of Pennsylvania Avenue.

On the surface, the Cyber Intelligence Sharing and Protection Act (CISPA) is about fighting those who would attack our online infrastructure. Its stated objective is to bolster the sharing of Internet traffic intelligence between the U.S. government and the country’s technology and manufacturing companies.

We’ve heard about the government’s call for more information sharing quite a bit. Here’s the problem: Many in private industry already share their data. The government doesn’t share back. I’ve heard from many a CSO in the past year about this. They’ll send nuggets of information to the FBI, for example, only to hit a wall when trying to get the agency to return the favor.

Information sharing only works when the information flows in both directions.

But that’s not why I consider this legislation bogus. The main problem is that this bill, if made law, would be a civil liberties killer.

Privacy groups correctly point out that CISPA would let private companies share a broad range of customer data with each other and with government agencies. It does not require companies to scrub unnecessary customer information from what they share, and it includes too much protection from lawsuits for companies that share.

People love to complain that Congress is an impotent institution that can’t get anything done. The Senate is often criticized for being too slow. That’s not such a bad thing when you have legislation like this. As a friend recently noted on Twitter, legislative gridlock is necessary to protect the public from laws that can harm us.

Even  if  this  bill  dies  in  committee,  which 
looks  likely,  it’s  come  back  from  the  dead  once 
before,  largely  unchanged.  To  prevent  the 
passage  of  CISPA  or  something  a  lot  like  it,  we 
all  need  to  make  our  voices  heard. 


Anonymous’s Attack on Israel Fizzles—Will Its U.S. Attack Fail Too?

ANONYMOUS’ FAILED ATTACK against Israeli websites in April has left security experts cautiously optimistic that the hacktivist group will be unsuccessful in its plans to disrupt U.S. government and banking sites.

According to a post on Pastebin.com, Anonymous has plans to launch distributed denial-of-service (DDoS) attacks against U.S. government sites and more than 130 American financial institutions, ranging from the largest in the country down to community banks. The motive is outrage over what the group calls America’s war crimes.

“America you have committed multiple war crimes in Iraq, Afghanistan, Pakistan, and recently you have committed war crimes in your own country....Now it is our time for our Lulz [fun],” the group said in another Pastebin.com post.

DDoS attacks have become a regular occurrence for financial and government organizations. For example, a group that calls itself the Izz ad-Din al-Qassam Cyber Fighters has launched several waves of attacks against U.S. banks starting last September. In the latest assault, which began Feb. 25, the group targeted financial brokerages, apparently hoping they would be less prepared than the banks. U.S. government officials believe Iran is behind the attacks.

Because of al-Qassam, security experts believe the largest banks are well prepared for Anonymous, if its so-called OpIsrael is any indication. Where al-Qassam has used the traffic-generating muscle of a server botnet to try to overwhelm banking sites, Anonymous used no botnet in its attacks on Israeli sites, none of which suffered any major disruption.

“The objective of OpIsrael was to take the country off the Internet, and there was nothing close to it,” says Ronen Kenig, director of security product marketing at Radware.

While Anonymous has not described its attack methods for what it calls OpUSA, Radware assumes they will be similar to those used in OpIsrael. But the plan of attack for the U.S. comes with a twist, in that Anonymous also plans to target small banks, whose defenses are unlikely to be as sophisticated as those of the nation’s largest financial institutions. Big banks often have dedicated IT security staff, a lot more bandwidth and the technology to detect and mitigate DDoS attacks.

Whether or not the next Anonymous attacks are successful, DDoS attacks as a whole are becoming more worrisome, says Avivah Litan, an analyst for Gartner. That’s because the attackers are gradually building larger botnets with massive firepower and are developing better tools to attack the application layer of sites, which are more vulnerable and do not require a huge amount of traffic to take down.

-Antone Gonsalves


Google Play Changes Bring Cautious Optimism on Android Security

GOOGLE’S DECISION TO UPDATE GOOGLE PLAY’S Android apps only through the online store will likely improve security on the mobile platform, but by how much remains to be seen, experts say.

Google recently changed its Play Developer Program policies to say, “an app downloaded from Google Play may not modify, replace or update its own APK binary code using any method other than Google Play’s update mechanism.” The APK, or Android application package file, is the format used to distribute and install apps in the Android operating system.

The move makes it much more difficult to turn a benign app into a malicious one once it leaves Google Play. When apps could be updated through a third-party server, unscrupulous developers could install malware or have an upgrade gather more personal data than the previous version.

How much more security the policy change brings will depend on the technology Google uses to authenticate updates. Best practices would have every app and update come with a digital certificate that tells the Android operating system that the code is from Play. Apple uses certificates to authenticate iPhone and iPad apps and upgrades, which are only available through the company’s App Store.

Managing the certificates will add to the cost of running Google Play, but anything less would just make it easier for hackers to trick the operating system, says Kurt Stammberger, vice president for market development at Mocana, which makes security tools for apps and mobile devices. If updates are signed by Google Play, it would be much more difficult for someone to download an app from the store, reverse engineer it to create a malware-carrying counterfeit, and then resell it in another store, says Gunter Ollmann, CTO at IOActive.

The one downside of having everything coming from Google Play is that it might delay the deployment of an emergency patch to fix a security flaw, Ollmann says. Nevertheless, the positives outweigh any negatives from the new policy. -Antone Gonsalves
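Stammberger’s and Ollmann’s point about signed updates in the Google Play piece comes down to one check: an installer verifies each update against a store key the device already trusts, so a repackaged or counterfeit copy fails before it is applied. The Go program below is an added illustration of that principle written for this edition; it is not Google’s or Android’s code and does not reproduce the APK signature format. It uses Ed25519 over a SHA-256 digest for brevity, and the `Store`, `SignedUpdate` and `VerifyUpdate` names and the payload bytes are constructed for the example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

// SignedUpdate is a hypothetical update package: the new app bytes plus a
// detached signature made by the store's key over their SHA-256 digest.
type SignedUpdate struct {
	Payload   []byte
	Signature []byte
}

// Store stands in for the app store. Only PublicKey is ever shipped to
// devices; the private key stays with the store's signing service.
type Store struct {
	PublicKey ed25519.PublicKey
	private   ed25519.PrivateKey
}

// NewStore generates a fresh key pair for the example. A real store would
// keep a long-lived key in an HSM rather than generate one per run.
func NewStore() (*Store, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	return &Store{PublicKey: pub, private: priv}, nil
}

// Publish signs an update before it is distributed.
func (s *Store) Publish(app []byte) SignedUpdate {
	digest := sha256.Sum256(app)
	return SignedUpdate{Payload: app, Signature: ed25519.Sign(s.private, digest[:])}
}

// ErrUntrustedUpdate covers every rejection: unsigned, altered after
// signing, or signed by a key other than the store's.
var ErrUntrustedUpdate = errors.New("update rejected: not signed by the trusted store key")

// VerifyUpdate is the device-side check an installer runs before applying
// an update: recompute the digest and verify the signature with the pinned
// store key. Any byte changed after signing makes the check fail.
func VerifyUpdate(storeKey ed25519.PublicKey, u SignedUpdate) error {
	if len(storeKey) != ed25519.PublicKeySize {
		return errors.New("invalid store key")
	}
	digest := sha256.Sum256(u.Payload)
	if !ed25519.Verify(storeKey, digest[:], u.Signature) {
		return ErrUntrustedUpdate
	}
	return nil
}

func main() {
	store, err := NewStore()
	if err != nil {
		panic(err)
	}
	genuine := store.Publish([]byte("example-app v2 (constructed payload)"))
	fmt.Println("genuine update:", VerifyUpdate(store.PublicKey, genuine))

	// A third party repackages the app with extra code; the signature no
	// longer matches the payload, so the installer refuses it.
	tampered := SignedUpdate{Signature: genuine.Signature}
	tampered.Payload = append(append([]byte(nil), genuine.Payload...), "+extra code"...)
	fmt.Println("repackaged update:", VerifyUpdate(store.PublicKey, tampered))

	// A second store signs the same bytes with its own key; the device does
	// not trust that key, so the copy is rejected too.
	other, _ := NewStore()
	fmt.Println("other store's copy:", VerifyUpdate(store.PublicKey, other.Publish(genuine.Payload)))
}
```

The check is only as strong as the pinning of the store key: if a device accepts any key presented alongside the update, the signature proves nothing. Ollmann’s caveat about emergency patches also shows up here, since every fix has to pass through the same signing step before devices will take it.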




Tech 


DDoS Attacks Turn Outdated Network Protocols Against Their Hosts

AGING NETWORKING PROTOCOLS STILL EMPLOYED by nearly every Internet-connected device are being abused by hackers to conduct distributed denial-of-service (DDoS) attacks.

Security vendor Prolexic found that attackers are increasingly using the protocols for what it terms “distributed reflection denial-of-service attacks” (DrDoS), where a device is tricked into sending a high volume of traffic to a victim’s network.

“DrDoS protocol reflection attacks are possible due to the inherent design of the original architecture,” reads a Prolexic white paper. “When these protocols were developed, functionality was the main focus, not security.”

Government organizations, banks and companies are targeted by DDoS attacks for a variety of reasons. Hackers sometimes use DDoS attacks to draw attention away from other mischief, and other times they simply want to disrupt an organization for political or philosophical reasons.

One of the targeted protocols, known as Network Time Protocol (NTP), is used in all major operating systems, network infrastructure and embedded devices, Prolexic wrote. It is used to synchronize clocks among computers and servers.

A hacker can launch an attack against NTP by sending many requests for updates. By spoofing the origin of the requests, the NTP responses can be directed at a victim host.

It appears the attackers are abusing a monitoring function in the protocol called NTP mode 7. The gaming industry has been targeted by this style of attack, Prolexic says.

Other network devices, such as printers, routers, IP video cameras and a variety of other Internet-connected equipment, use an application-layer protocol called Simple Network Management Protocol (SNMP).

SNMP communicates data about device components, such as measurements or sensor readings. SNMP devices return three times as much data as when they’re pinged, making them an effective way to attack. Again, an attacker will send a spoofed IP request to an SNMP host, directing the response to a victim.

Prolexic says there are numerous ways to mitigate an attack. The best advice is to disable SNMP if it is not needed.

The US-CERT warned administrators in 1996 of a potential attack scenario involving another protocol, Character Generator Protocol, or Chargen.

It is used as a debugging tool because it sends data back regardless of the input. But Prolexic wrote that it “may allow attackers to craft malicious network payloads and reflect them by spoofing the transmission source to effectively direct it to a target. This can result in traffic loops and service degradation with large amounts of network traffic.”

US-CERT recommended at that time to disable any unneeded user datagram protocol services, like Chargen.

-Jeremy Kirk
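The three reflection cases described above (NTP mode 7, SNMP and Chargen) share one signature a defender can look for in flow data: large UDP replies from a service port converging on a single destination from many distinct hosts that never asked for them. The Go program below is an added example written for this edition, not Prolexic’s or the author’s code. The flow-record layout, the `Flow` and `Suspect` types and the thresholds are assumptions made for the example, and the sample records are constructed from documentation address ranges.

```go
package main

import (
	"fmt"
	"sort"
	"strings"
)

// Flow is one NetFlow-style record. The field layout is an assumption made
// for this example, not any collector's real export format.
type Flow struct {
	SrcIP, DstIP     string
	SrcPort, DstPort int
	Proto            string
	Packets, Bytes   int
}

// UDP source ports of the services the article names as reflection sources.
var reflectorServices = map[int]string{123: "ntp", 161: "snmp", 19: "chargen"}

// sampleFlows is constructed input (documentation address ranges): four NTP
// and three SNMP reflectors answering toward 203.0.113.10 with large packets,
// one ordinary NTP reply to 203.0.113.20, and unrelated TCP traffic.
const sampleFlows = `
# src_ip      src_port dst_ip        dst_port proto packets bytes
198.51.100.1  123      203.0.113.10  52837    udp   400     194400
198.51.100.2  123      203.0.113.10  52837    udp   380     184680
198.51.100.3  123      203.0.113.10  52837    udp   410     199260
198.51.100.4  123      203.0.113.10  52837    udp   395     191970
192.0.2.50    161      203.0.113.10  41000    udp   120     180000
192.0.2.51    161      203.0.113.10  41000    udp   110     165000
192.0.2.52    161      203.0.113.10  41000    udp   130     195000
198.51.100.9  123      203.0.113.20  123      udp   1       90
203.0.113.10  443      198.51.100.77 50211    tcp   10      4200
`

// ParseFlows reads whitespace-separated records, skipping blank and # lines.
func ParseFlows(text string) ([]Flow, error) {
	var flows []Flow
	for n, line := range strings.Split(text, "\n") {
		line = strings.TrimSpace(line)
		if line == "" || strings.HasPrefix(line, "#") {
			continue
		}
		var f Flow
		if _, err := fmt.Sscanf(line, "%s %d %s %d %s %d %d", &f.SrcIP, &f.SrcPort,
			&f.DstIP, &f.DstPort, &f.Proto, &f.Packets, &f.Bytes); err != nil {
			return nil, fmt.Errorf("line %d: %w", n+1, err)
		}
		flows = append(flows, f)
	}
	return flows, nil
}

// Suspect summarises reflector traffic converging on one destination.
type Suspect struct {
	DstIP, Service string
	Sources        int     // distinct reflector hosts
	Bytes          int
	AvgPkt         float64 // mean bytes per packet
}

// FindReflection flags destinations receiving UDP traffic from a reflector
// service port from at least minSources distinct hosts with a mean packet size
// of at least minAvgPkt bytes: a host's own NTP or SNMP replies are small and
// come from the few servers it queried, while amplified replies aimed at a
// spoofed victim are large and arrive from many reflectors at once.
func FindReflection(flows []Flow, minSources int, minAvgPkt float64) []Suspect {
	type agg struct {
		sources        map[string]bool
		packets, bytes int
	}
	groups := map[[2]string]*agg{}
	for _, f := range flows {
		svc, ok := reflectorServices[f.SrcPort]
		if !ok || strings.ToLower(f.Proto) != "udp" {
			continue
		}
		key := [2]string{f.DstIP, svc}
		if groups[key] == nil {
			groups[key] = &agg{sources: map[string]bool{}}
		}
		groups[key].sources[f.SrcIP] = true
		groups[key].packets += f.Packets
		groups[key].bytes += f.Bytes
	}
	var out []Suspect
	for key, g := range groups {
		if g.packets == 0 || len(g.sources) < minSources {
			continue
		}
		if avg := float64(g.bytes) / float64(g.packets); avg >= minAvgPkt {
			out = append(out, Suspect{DstIP: key[0], Service: key[1],
				Sources: len(g.sources), Bytes: g.bytes, AvgPkt: avg})
		}
	}
	// Largest volume first; tie-break on service so the order is deterministic.
	sort.Slice(out, func(i, j int) bool {
		return out[i].Bytes > out[j].Bytes || out[i].Bytes == out[j].Bytes && out[i].Service < out[j].Service
	})
	return out
}
```

On the constructed sample, `FindReflection(flows, 3, 200)` reports 203.0.113.10 twice, once for four NTP reflectors averaging 486 bytes per packet and once for three SNMP reflectors averaging 1,500, while the single 90-byte NTP reply to 203.0.113.20 is ignored. The two thresholds are parameters on purpose: against a real collector they should be tuned to a baseline of the NTP and SNMP replies your own hosts legitimately receive. On the mitigation side the advice in the article stands: turn off SNMP and Chargen where they are not needed, and on ntpd the `disable monitor` directive in ntp.conf switches off the mode 7 monitoring queries whose replies are being reflected.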




Phishing Gang Jailed for Stealing Woman’s $1.6 Million Life Savings

A HEARTLESS PHISHING GANG THAT STOLE AND THEN FRITTERED AWAY A British woman’s entire £1 million ($1.6 million) life savings on items including gold and cheeseburgers have been handed heavy sentences by a London court.

The gang’s ringleader, Nigerian national Rilwan Adesegun Oshodi, was sentenced to eight years in prison and ordered to pay back the money, although this might prove difficult given that the cash has reportedly already been spent.

What makes this phishing case stand out from thousands of similar crimes, other than the fact that the gang stole such a large sum of cash from a single person, is the brazen way in which the conspirators spent the money, blowing much of it during a single lavish three-day shopping trip in January 2012.

Pictures released to the court during the case showed Oshodi posing with a “cash sandwich” (bank notes inserted between slices of bread) and, in other photos, holding up bottles of champagne to advertise his newfound wealth. Police say the gang also used the stolen money to buy cheeseburgers, expensive computers and even gold bars.

Once the theft was detected, the gang members were doomed to be caught: the gang used so-called “mules” to siphon off the money without the bank noticing, and these conspirators left a trail that led right to the rest of the perpetrators. Arrests were made in March 2012, only weeks after the extravagant shopping trip, and the gang members were found guilty this April.

The man who phished the victim’s bank account details and then sold the information to Oshodi for about $4,900, Egyptian national Tamer Hassanin Zaky Abdelhamid, was sentenced to six years and ordered to pay $159,000.

The woman used by Oshodi to impersonate the victim so the bank would redirect its communications to the criminals, Annette Jabeth, was sentenced to four years. One of the mules used by the gang, Chika Okala, received a four-year sentence; four others got 15-month and one-year sentences for smaller roles in the crime.

“I hope that these sentences act as a deterrent not just to those who commit cybercrime but also to those who seek to benefit from the proceeds of cybercrime,” says Detective Inspector Stewart Garrick of the London police. -John E. Dunn


McAfee Buys Firewall Maker Stonesoft

MCAFEE PLANS TO ACQUIRE Stonesoft, a maker of firewall products, for $389 million, the companies announced last month.

The Intel subsidiary said firewalls are one of the fastest-growing products in network security, an area where McAfee wants to cement its market position, according to a news release. Stonesoft’s products will be integrated with McAfee’s, and its technology will stand alongside McAfee’s IPS Network Security Platform and Firewall Enterprise.

Stonesoft, which has 6,500 customers, also makes evasion-prevention systems and SSL VPN software. In addition, the company does research into what it calls “advanced evasion techniques,” or methods used by hackers to prevent their intrusions from being detected.

Governments and companies are increasingly under pressure from hackers who seek to infiltrate networks and steal intellectual property. They also face the growing challenge of detecting sophisticated attacks suspected to be sponsored by nation states.

In 2012, Stonesoft reported $52.5 million in net sales, up from 2011, according to the company’s annual report. -Jeremy Kirk




What Not to Do When You’re Trying to Find Vulnerabilities

Otherwise sound attempts to uncover problems can go awry when the security team makes these four common blunders. Our experts explain what to be wary of during a vulnerability assessment. By Joan Goodchild

IF YOU’RE RUNNING A ROBUST SECURITY program, you regularly conduct security and vulnerability assessments of both your network and your physical environments. But all too often, even the best efforts at detecting and eradicating vulnerabilities are brought down by a few common mistakes.

At the 2013 CSO40 Security Confab and Awards event in Atlanta, attendees heard from two expert security veterans about best practices for vulnerability assessment.

Roger Johnston is the leader of the Vulnerability Assessment Team at Argonne National Laboratory. He and his team are often charged with finding the vulnerabilities in physical security systems. Jerry Walters is director of information security with OhioHealth, a regional nonprofit hospital network headquartered in Columbus, Ohio. Walters and his team are responsible for the overall information security program, including risk management, vulnerability management, incident response, governance and compliance for the organization.

Johnston and Walters have somewhat different perspectives on vulnerability assessment, but they agree on these four mistakes that security teams commonly make in the assessment process.

Limiting Your Vision

When a team sets out to create a plan for vulnerability testing, no idea, even the most far-fetched, should be off the table, says Johnston.

That means that during the brainstorming and planning sessions, even the wildest, most far-fetched scenarios should be considered.

Johnston says he’s observed that creativity seems stifled by the presence of a manager in the room and the perception that security is too serious to float wild ideas for testing.

That’s a mistake.

“The best ideas come late,” he says. “You’re doing yourself a disservice if you shut down ideas too early.”

Johnston also encourages all security practitioners to think like the bad guys if they really want to get at the most serious problems.

Letting Compliance Get in the Way

As a security manager in the healthcare industry, Walters’ work is obviously intricately connected to HIPAA.

“HIPAA is very non-prescriptive. With HIPAA, the intent is go and do good. It’s left open to interpretation.”

Walters says that as a result, there is a lot of speculation in the healthcare industry about HIPAA, and people are attempting to define how the act should be applied.

Johnston notes that attempts to remain in compliance often do more harm than good. He believes security teams need to give a certain amount of pushback to be effective during their vulnerability assessments. At least 30 percent of regulatory requirements are bad news, he says.

“For example, there are requirements that guards have to go to their stations at set times during the day, therefore making it completely predictable when they will be there.”

This is the kind of requirement Johnston thinks a team should push back on because it increases the organization’s vulnerability, rather than reducing it.

“As a security professional you have two jobs: compliance and security,” says Johnston. “Sometimes they overlap. You have to do what you can to make the overlap. A compliance auditor might be suspicious. If they are, push back. On the other hand, some parts of compliance are worthwhile. Take what you can from the good parts of compliance and run with it. Go above and beyond in the parts you agree with.”

Bad Reporting

Walters says that after many assessments, he’s had outside consultancies simply “drop off a three-ring binder full of problems and leave.”

This is a perfect example of bad, ineffective reporting.

“We want people to shake the trees,” says Walters. “But if the reporting just focuses on the problems, they are not providing answers.”

Johnston says reporting goes really awry when teams are too critical of the mistakes they see in assessments.

“You may find a lot of mistakes being made. That’s OK. Security is hard. But you don’t have to fire anyone. Instead of finding people to blame, focus on fixing the mistakes,” Johnston says.

“Also, keep in mind that all risk management is ultimately subjective, even when you’re using numbers. I’m not opposed to assigning numbers, but don’t go overboard with assigning them,” he adds.

Failing to Share What You’ve Learned

You know what vulnerabilities the assessment uncovered, but do the employees in your organization know?

Of course, there may be many things you can’t disclose to them. But what can you share that brings the issue of security to the forefront for everyone? How can you get them invested in being part of the solution to the problems your assessment found?

“Most regular employees see security as a compliance thing,” says Johnston. “They don’t see it as something relevant to them. We need to motivate regular employees and answer the question of, ‘What’s in it for me?’”

Johnston suggests a conversation that includes not only lessons learned from the vulnerability assessments, but also examples of headline-making security incidents in other organizations.

“You’re trying to build a culture, not a department,” he says. “Security is everybody’s job. It sounds cliché, but I don’t think that resonates in many organizations.”




■  Risk 


Find Your Risk Tolerance in 3 Simple Steps

CISOS, IN ADDITION TO DECIDING what policies, processes and technology an organization needs, must also tackle the even more significant challenge of negotiating disputed risk issues. But the process for determining risk tolerance is fraught with organizational politics, and of course each organization requires a customized fit. When deciding on a process, the most important aspects to consider include how an organization decides on risk tolerance, how its security risk assumption decision-making works, and who has the authority to assume security risks.

1. Find Your Risk Tolerance Model

Every organization has a risk tolerance model, whether it’s a formal documented process, an informal process, or (usually) something in between. Before you do anything else, you first need to determine where on this spectrum your organization lies.

A formal documented risk tolerance process clearly defines who can assume and sign off on risks. This type of process usually shows up in organizations with mature enterprise risk management (ERM) processes, and it establishes a governance procedure and is often based on quantifying risks and exposures. Even in these organizations, however, the ERM processes often do not adequately simplify how to resolve contested security issues.

On the other hand, organizations with informal risk tolerance models have little or no documented procedures. Typically, there’s an unspoken assumption that a senior-level manager should be informed of security issues and approve the risk being assumed. Obviously, with an informal risk tolerance model, the organization’s security procedures may not be consistent, resulting in risks not being vetted.

2. Figure Out What Drives Your Security Standards

Even for organizations that have mature ERM processes, it’s hard to implement an effective risk-assumption process. There is no generally accepted template for a security risk assumption model. Some organizations determine their risk tolerance levels based on factors predominantly driven by regulatory compliance concerns. Some are driven by the privacy and security risks associated with their IT practices. Others are driven by industry or competitive pressure. Many are driven by a mix of all three of these.

Because motivating factors and values behind security can differ greatly between organizations, it’s imperative to establish a truly unique and individualized risk assumption model that involves the CEO and even the board of directors.

3. Know Who Can Assume What Risk—and How

All risk tolerance models should deal with three critical concerns: who can assume risk, what kind of risks affect the entire organization, and how to resolve a disagreement.

The first step is to choose and document who can make security risk decisions. At minimum, delegation should be at the board of directors or CEO level. Ideally, though, the CISO serves as the first line of defense, followed by the CEO or the board of directors if the risks need to be escalated. Business unit executives should only have authority to make risk decisions that are contained within the boundary of their business unit. Much like CFOs have delegated enterprise authority over spending matters and can overturn or challenge spending decisions by the business units, a CISO should have similar authority over security matters.

Next, organizations must categorize enterprise versus business-unit risk. The enterprise should ask if the risks are contained within one business unit or if they affect multiple business units or the entire enterprise.

Finally, organizations should document how disputed issues are escalated and resolved so every business unit knows how to resolve disputes and who needs to be involved. Documentation includes procedures to categorize the risks and should delegate authority levels by function.

Now It’s Your Turn

A formal security risk assumption process that is documented and approved by the CEO or board of directors is a critical first step to resolving contested risk tolerance issues. And it’s essential that the right people have the right level of authority to assume enterprise security risks for the organization.

Every successful CISO must determine and navigate the risk tolerance level of their own organization, no matter how political that process gets. But as painful as that might be, remember that risk tolerance will drive your organization’s values.

■ Craig Shumard is principal at Shumard and Associates, a security consultancy specializing in measuring information security solutions. He also serves as an adviser to Tenable Network Security and was formerly CISO at CIGNA.






Outstanding Women in Infosec

Four award-winning female leaders reflect on what it takes to thrive in a male-dominated industry

BY JOAN GOODCHILD

EACH YEAR, THE EXECUTIVE WOMEN’S Forum announces its Women of Influence Awards at its annual event.

The awards, co-presented by Alta Associates and CSO magazine, recognize outstanding women in several categories: one winner from the public sector, a private solutions provider from the security industry, a corporate practitioner from the private sector, and a One to Watch, a future leader in the security field. This year, a lifetime achievement award was also given. The winners were nominated by peers in the security community.

The public-sector honoree, Aimee Larsen Kirkpatrick, is the former director of partnership engagement and strategic initiatives for the National Cyber Security Alliance, a public-private partnership dedicated to helping citizens stay safe and secure online. She has created education and awareness programs, including a national public service campaign to develop a unified message on Internet safety for all citizens, which she spearheaded.

While Larsen Kirkpatrick was unavailable for an interview, CSO asked each of the other winners of the 2012 Women of Influence Awards to give us their perspective on how they became so successful and what they learned along the way, and how women are making their mark in the security industry.

ONE  TO  WATCH: 

CLAIRE  PENNLINE 

Claire  Pennline  is  an  engineering  manager  on 
the  security  operations  team  at  Google.  In  her 
5  years  at  the  company,  she  has  worked  in 


20  www.csoonline.com  JUNE  2103 




various parts of the security team as a technical program manager, focused on a broad set of projects, including pre-launch security product reviews and vulnerability management. She now works on client platform hardening, network perimeter security and machine identity. Pennline manages a team of security engineers who focus on innovation in enterprise security and developing solutions that make it easy for people to work securely.

What valuable advice have you received along the way in your career?

I was very fortunate to work for a wonderful mentor right out of college who really inspired me. He demonstrated his belief in me by giving me a lot of responsibility right off the bat. There were other senior managers who thought I would fail and there was a lot of pressure. Nonetheless, he set high expectations that I was determined to live up to, and I credit a lot of my determination and drive to what I learned in that first real professional role.

When he moved on to a new role just a year later, I was devastated, and he saw that. He told me that in my career, nothing would stay the same; change was inevitable. And those who found a way to embrace change—to thrive on it—were the successful people.

I dried my tears and found a way to be successful in his absence. From then on I’ve often been the one to force the change myself when I’m not satisfied.

So the advice is to embrace change; don’t be afraid of it. If you can, control it and make it work for you. Look for the opportunities change brings and latch on to them.

PRIVATE SOLUTIONS: LAURA MATHER

Laura Mather is a worldwide expert in combating Internet fraud, and she’s a sought-after speaker, a published author and an expert witness on the topic. Based on the work she’s done with Silver Tail Systems since the company’s inception in 2008, Fast Company ranked Mather #16 on its annual list of the 100 Most Creative People in Business for 2012, and Business Insider named her to its list of 25 Powerful Women Engineers in Tech. She is also the managing director of operational policy for the Anti-Phishing Working Group, where she drives Internet policy to fight phishing, pharming and spoofing. Before co-founding Silver Tail Systems, she spent three years in fraud prevention and anti-phishing at eBay, was a director of research and analysis for the online division of Encyclopaedia Britannica, and spent time as a research analyst for the National Security Agency.

How are women making inroads in security today?

I look at the world more broadly than just security, so I’ll answer this question based on women in technology. We are making inroads now in that we are again starting to talk about the issue. Five or 10 years ago, nobody spoke much about there not being many women in technology. Now the conversation has started again, and I think that is a key driver to making progress.

What more needs to be done?

It’s time to look at new ways to further women’s issues in security. I’m concerned that the feminist movement has stalled. I’ve even heard that millennials say that “feminism” is the “f-word.” Women in technology and security have come a long way in the last 50 years, but there is still more work to be done.

How can we reignite the passion for getting women more involved in security? I’d like to get women to start thinking outside the box. Is there a technology that could help enable this? For example, can we create a website that spotlights careers—both security and otherwise—where the people being interviewed have diverse backgrounds? Maybe a woman CISO, a black software engineer, a veteran who is pursuing a degree in physics. It would be nice to give younger generations role models that break the molds of what society tends to enforce about who can do what job.

CORPORATE PRACTITIONER: HARRIET PEARSON

Harriet Pearson was one of the first chief privacy officers in the Fortune 500 and is an internationally recognized corporate privacy and data security pioneer. She was previously VP security counsel and chief privacy officer at IBM, and last year she became a partner in the global law firm Hogan Lovells, where her practice focuses on privacy and cybersecurity.

What has your personal mission been in your career? Have your accomplishments lived up to your expectations for yourself?

Everything I’ve enjoyed doing over the years has had just one thing in common which, I eventually realized, is my personal mission: to work on important and complex subjects, make sense of them, and help guide others so together we do the right things. I think that’s why I enjoy working in security and privacy so much, and why I consider myself so lucky to have started work in this area when I did.

What goals have you set for yourself for the future?

To keep growing. To stay passionate. To always be authentic.

LIFETIME ACHIEVEMENT: SANDRA HUGHES

Sandra Hughes has over 25 years of managerial and executive experience at Procter & Gamble in a variety of leadership roles in the U.S., Germany and Belgium. From 2001 until her retirement in June 2012, she was responsible for developing global strategic programs addressing problems such as information governance and risk management, ethics and compliance, and competitive and technical intelligence.

How are women making inroads in security professions today? What more needs to be done?

As the number of women with technical degrees continues to increase, I think we will continue to see greater strides in women leading security professions. However, another way for a woman to make inroads is through broadening her scope to interface with hot-topic areas like privacy and information governance, which statistically tend to be more gender-balanced professions.

Then, as more corporations think strategically about their total risk universe—with security/privacy/information governance/ethics and compliance ranked right up there with the risk of missing financial projections, for example—women with a scope broader than security may have more opportunities, or at least more options, to advance their careers.

6 Tips for Keeping Your Pen-Testing Tactics on the Right Side of the Law

Social engineering techniques are frequently part of an overall security penetration test, often used as a way to test an organization’s so-called human network.

But in their zeal to uncover vulnerabilities among employees, some pen testers may employ strategies that could be considered unethical. And there are some social engineering moves that you simply can’t use at all if you want to stay within the confines of the law.

Here are six things to keep in mind to ensure your team is using the most ethical and legal approach to testing human security holes.

1. Know the Local Laws

“In many states, one-party consent for recording of audio or video is illegal,” says Chris Hadnagy, a veteran pen tester, social engineering expert and author of Social Engineering: The Art Of Human Hacking. “A pen tester that does this without the proper contract in place can be breaking these laws.”

Other illegal tactics that some pen testers might be tempted to try include threatening to harm someone, impersonating a member of law enforcement, or obtaining federal documents, social security numbers or other private information from unsuspecting targets. In order to legally impersonate someone within the organization you are pen testing, you must first get the person’s consent, says Ed Skoudis, SANS Instructor and director of NetWars CyberCity.

“We find that it is better to impersonate a fictional employee rather than an actual one, as that lowers the chance of tarnishing someone’s reputation,” he says.

Laws can vary from state to state and from country to country, so double-check your plan against local laws before proceeding.



“A good friend of mine, who is a social engineering pen tester in the UK, tells me that in the UK you can open a drawer during a pen test but you cannot look through it,” Hadnagy says. “If you see a password sticky note on top in the drawer, you can’t use it, not even report on it. Understanding the laws for the area you are in can save you from hurting yourself and the company.”

2. Remember: “First, Do No Harm”

“Ethical concerns are a front-and-center problem of both social engineering and physical security testing,” says H.D. Moore, chief research officer with Rapid7, and the founder and chief architect of the company’s penetration testing solution, Metasploit. “Playing bad guy can be as difficult for the consultant as it is for the employees of the client.”

A certain amount of fudging the truth may be necessary to execute your pen test, but Moore urges pen testers to abide by the Hippocratic oath: “First, do no harm.”

“A lie about leaving your keys on your desk may be appropriate, but making up a story about a traumatic accident is likely to cause grief and long-term mistrust when it turns out to be false,” he says.

Similar guidelines apply to physical security testing. “You never want to put your employees, the client, or their security personnel into a situation where they feel like they are in harm’s way. It is quite easy for people to overreact. I have heard stories of a client tackling a security tester because they followed someone through a security door,” Moore says.


3. Emulate Real-World Exploits

Social engineering tests should reflect real-world attacks against the organization, not over-the-top situations that are unlikely to arise in an ordinary work environment. “Sending a suspicious email or making a phone call for a password reset is something that employees should be able to defend against,” Moore says. “By contrast, rappelling through a skylight or bugging someone’s office is not a normal risk for most companies, and would cross the line if attempted.”

4. Get Sign-Off and a Clear Contract

Each part of your penetration test needs to be signed off on by the organization’s management before you proceed. You need a clearly defined contract stating what is and what is not allowed. This protects both you and the organization you’re testing, Hadnagy says.

“You want to access the dumpsters? Make sure it is in the contract. You want to have the ability to walk out of the building with a computer under your arm? Get that in the contract. What if the computer you walk out with contains personal details for all employees or financial data?”

“The social engineering process should work from a plan that has been approved by both the security manager and a representative from the human resources department,” says Moore.

5. Notify Those in Charge Before You Begin

You’ve got permission to do what you need to do by getting it in writing, but don’t just set off on your test without warning the appropriate people first or you could find yourself in an awkward situation. In this tale from Moore, jobs were lost because proper notification was not given in advance of the test.

“In a late-night physical penetration test of a bank branch, a consultant triggered the building alarm and was waiting for the police to show up. Fortunately, the cleaning crew arrived in the nick of time and helped disable the alarm and let them into the secured area. The police still showed up and there was an awkward conversation that resulted in the president of the bank being called. The consultant was cleared, but the cleaning crew was fired on the spot by the bank president.

“By the time the situation was resolved the next morning, the damage had already been done. In this case, the president should have been made aware that a test was taking place that evening.”

6. Attack in Phases to Avoid Overstepping Boundaries

As Skoudis explains here, a spear phishing pen test should be separated into two phases to avoid the possibility of accidentally attacking an unintended target outside the organization:

“The first part is sending the email itself, trying to get a click on a link or the opening of an attachment. We recommend that penetration testers compose their email with links or attachments but do not try to exploit the target via that email. Instead, the pen tester sets up a website so he or she can merely count the number of clicked links or open attachments that he or she gets from the email, as well as the source machine of the clicks.

“Then, as a separate phase of the project, the pen tester works with a collaborator on the inside, using a typically configured laptop or desktop computer, to try the exploit itself, perhaps gaining access and then pivoting through the target infrastructure.

“So the tester would agree with an inside collaborator that on a given date and time, the pen tester will provide a series of URLs or attachments for the collaborator to explicitly click on and open. There is no trickery involved in this phase. But we can then infer from what we are able to exploit on that typical client machine the impact we would have likely gotten from any of the clicks in phase one.

“You see, we’ve separated the phishing email (where all that really matters is whether you get a click or not) from the exploitation step. This is a whole lot safer. If you bundle the two together and exploit a machine that received the email, you may end up attacking someone outside of scope. An email recipient may forward your email to someone inside the company (or even outside the company). If you attack that person, you’ve exceeded your scope and can get in big trouble. That’s why we separate the two aspects.”

—Joan Goodchild


The secrecy around distributed denial-of-service attacks is a problem when you’re desperate for guidance. But the answers are there, if you know where to look.



Cover  Story 


Go ahead and ask CSOs from the nation’s largest banks about the myriad distributed denial-of-service (DDoS) attacks they’ve experienced in recent months. They’re not going to tell you anything.

Security execs have never been comfortable talking about these attacks because they don’t want to draw more attention to their companies. They worry that offering even the basic details of their defensive strategy will inspire attackers to find the holes.

But many companies are finding themselves under attack for the first time, and their security chiefs need answers if they’re going to fight back. So despite knowing CSOs are reluctant to talk, we tried to get answers anyway. We offered several CSOs anonymity to tell their stories, a tactic that always worked before.

Not this time.

DDoS attacks have become more ferocious than ever the past few years, fueled by hacktivists who understand that every minute of downtime for a financial services site equals millions of dollars in lost business. Attacks hitting the likes of Bank of America, Capital One, Chase, Citibank, PNC Bank and Wells Fargo have been so relentless and sophisticated that most security execs are too freaked out to discuss details.

“These DDoS attacks are a very sensitive issue now and not something we can talk about publicly,” says the CISO at a midsize bank that operates out of the Pacific Northwest.

“Our communications department has asked that we don’t discuss this with the media right now, out of concern that we may draw attention to ourselves and become a target,” says a security officer at another financial services firm in the southeastern U.S.

Tight Lips Sink Company Defenses

While there’s plenty of truth behind the old World War II propaganda posters that say, “Loose lips sink ships,” the saying “Knowledge is power” also holds true, especially when it comes to defending modern business-technology systems.

There’s no doubt that tight lips can be a problem if you’re the newly-minted CISO of a bank and find yourself under attack. You need good information on the most recent attacks and defense trends.

Some contend that the adversarial relationship between regulators, the public and financial institutions regarding cybersecurity incidents is at least partially to blame for organizations playing their cards so close to the vest.

“The best way to drive this kind of cooperation and information sharing is to make sure that there are no repercussions to the institutions for sharing both successes and failures. If an institution shares attack information that was successful and then the regulators come down on them for that, they’re not going to want to cooperate in the future,” says Chip Tsantes, principal of information security advisory services at Ernst and Young.

When it comes to these recent waves of DDoS attacks, being able to detect the techniques employed in the attack and speedily respond to threats means the difference between keeping services running and having them shut down.

“These recent DDoS attacks are evolving so very rapidly, every time a new attack arrives they’re switching to a different strategy,” says Lynn Price, IBM security strategist for the financial sector. In essence, the attackers’ strategy is to increase their capacity, use advanced infrastructure and application targeting tools, and automate attacks. “They’re getting much more sophisticated in their capability and what aspects of the IT stack they’re hitting,” she says.

In this environment, silence among the good guys is an extreme liability. So despite CSOs’ extreme reluctance to talk about this issue, we managed to get some information through background discussions and interviews with security specialists who help companies combat DDoS attacks. Using that insight, we’ve assembled some action items for companies that aren’t used to facing down DDoS attacks.

2013: DDoS Attacks Intensify

The average size of DDoS attacks continues to increase:

■ The average increase in DDoS attack size remains at 20% year over year.

■ Attacks in the 2-10GB per second range increased from 15% to 21.5%.

■ In the first quarter of 2013, Arbor Networks tracked three-fourths as many attacks over 10GB per second as it saw in all of 2012.

■ While attacks of less than 1GB per second accounted for the vast majority of attacks four years ago, today they combine for less than 63%.

SOURCE: Arbor Networks

Be Ready for Real-Time Defense Adjustments

“Not only were these attacks multi-vector, but the tactics changed in real time,” says Gary Sockrider, solutions architect for the Americas at Arbor Networks. The attackers would watch how sites responded, and when the site came back online, the hackers would adjust with new attack methods.

“They are resolute and they will hit you on some different port, protocol, or from a new source. Always changing tactics,” he says. “Enterprises have to be ready to be as quick and flexible as their adversaries.”

Don’t Rely Only on Perimeter Defenses

Everyone we interviewed named cases in which traditional on-premise security devices—firewalls, intrusion-prevention systems, load balancers—were unable to block the attacks. “We watched those devices failing. The lesson there is really simple: You have to have the ability to mitigate the DDoS attacks before it gets to those devices. They’re vulnerable. They’re just as vulnerable as the servers you are trying to protect,” says Sockrider. Part of the mitigation effort is going to have to rely on upstream network providers or managed security service providers that can interrupt attacks away from the network perimeter.

It’s especially important to mitigate attacks further upstream when you’re facing high-volume attacks. “If your Internet connection is 10GB and you receive a 100GB attack, trying to fight that at the 10GB mark is hopeless. You’ve already been slaughtered upstream,” says Sockrider.

Fight Application-Layer Attacks In-Line

Attacks on specific applications are generally stealthy, much lower volume and more targeted. “They’re designed to fly under the radar. So you need the protection on-premise or in the data center so that you can perform deep-packet inspection and see everything at the application layer. This is the best way to mitigate these kinds of attacks,” says Sockrider.

Collaborate

The banking industry is collaborating a little when it comes to these attacks. Everything they reveal is carefully protected and shared strictly amongst themselves, but in a limited way, banks are doing a better job at collaborating than most industries.

“They’re working among each other and with their telecommunication providers. And they’re working directly with their service providers. They have to. They can’t just work and succeed in isolation,” says Price.

They’re also turning to the Financial Services Information Sharing and Analysis Center for support and to share information about threats. “In some of these information-sharing meetings, the [big] banks are very open when it comes to talking about the types of attacks underway and the solutions they put into place that proved effective. In that way, the large banks have at least been talking with each other,” says Rich Bolstridge, chief strategist of financial services at Akamai Technologies.

The financial sector’s strategy is one that could and should be adopted elsewhere, regardless of industry.

Have Your Playbook Ready

Organizations must try to anticipate the applications and network services adversaries will target and draft an emergency response plan to mitigate those attacks. “Enterprises are paying more attention to these attacks and planning how they’ll respond. And they’re getting better at assembling their own internal attack information as well as the information their vendors are providing them to help fight these attacks,” says Tsantes.

IBM’s Price agrees. “Organizations are getting better at response. They’re integrating their internal applications and networking teams, and they know when the attack response needs to be escalated so that they aren’t caught off guard. So as attackers are becoming much more sophisticated, so are the financial institutions,” she says.


June  2103  www.csoonline.com 


29 


IN  SEPTEMBER,  HACKTIVISTS 
began  targeting  U.S.  banks  with  distributed 
denial-of-service  (DDoS)  attacks.  Known  as 
Operation  Ababil,  the  attacks  are  claimed 
to  be  retribution  for  the  online  video  “In¬ 
nocence  of  Muslims.”  The  hacktivists  esti¬ 
mate  the  cost  of  their  attacks  to  be  around 
$30,000  per  minute.  They  claim  that 
they’ll  stop  when  the  video  is  completely 
removed  from  YouTube. 

The  onslaught  has  ramped  up  in  2013.  A 
number  of  banks  confirmed  in  mid-March 
that  their  sites  were  under  attack,  with 
many  banking  customers  reporting  diffi¬ 
culty  accessing  certain  websites  or  trouble 
logging  in  to  their  accounts.  A  week  later, 
a  hacktivist  group  called  the  al-Qassam 
Cyber  Fighters  claimed  responsibility  for 
the  disruption  in  a  post  on  Pastebin.com. 

.  In  early  April,  Internet  performance  com¬ 
pany  Keynote  Systems  told  NBC  that  15 
large  U.S.  banks  were  knocked  offline  for  a 
combined  249  hours  over  six  weeks. 

Ttiere  has  been  considerable  debate 


30  www.csoonline.com  June  2103 


Cover  Story 


Now  that  many  larger  financial  institutions  have 
hardened  their  DDoS  defenses,  observers  are 
concerned  that  attackers  will  broaden  their  nets  to 
include  smaller  banks,  credit  unions  and  even  other 
industries. 

“The  one  good  thing  about  these  rounds  of  attacks 
is  that  they’ve  caught  the  attention  of  management  at 
regional  banks,  and  they’re  asking  about  what  needs 
to  be  done  so  that  the  organization  is  best  prepared,” 
says  the  IT  security  officer  at  a  regional  bank  in  the 
mid-Atlantic, 

“Many  smaller  banks  are  gearing  up  as  a  result  of 
watching  the  larger  institutions  being  attacked.  They 
see  that  they  too  can  be  victims,  and  they’re  choosing 
to  be  proactive,”  says  Bolstridge. 

For  most,  explains  Price,  that  means  increased 
reliance  on  service  providers  and  managed  security 
services  providers.  “They’re  having  their  systems  as¬ 
sessed  for  resiliency,  and  they’re  making  sure  that  their 


service  providers  are  prepared  for  potential  attacks 
and  that  they  also  have  adequate  protection  in  place,” 
she  says. 

Watch  Out  for  Secondary  Attacks 

As  costly  as  these  attacks  can  be,  they  may  sometimes 
be  little  more  than  a  distraction  to  provide  cover  for  an 
even  more  nefarious  attack. 

“DDoS  can  be  a  diversion  tactic  for  more  serious  at¬ 
tacks  coming  in  from  another  direction.  Banks  need  to 
be  aware  that  they  have  to  not  only  be  monitoring  for 
and  defending  the  DDoS  attack,  but  they  also  have  to 
have  an  eye  on  the  notion  that  the  DDoS  may  only  be 
one  aspect  of  a  multifaceted  attack,  perhaps  to  steal 
account  or  other  sensitive  information,”  Price  says. 

Be Worried, Even If You’re Not a Bank

Although recent attacks have been concentrated on financial institutions, experts are concerned about industry crossover. “We don’t want to see this level of attacks cross over into healthcare and other industry segments. They’re not as well equipped because they don’t necessarily consider themselves a target,” says Bolstridge. “It’d be some good news if others looked at this as a wake-up call and took a good assessment of their risk.”

“Organizations are getting better at response... as attackers are becoming much more sophisticated, so are the financial institutions.”
—LYNN PRICE, IBM SECURITY STRATEGIST

Sharing information is an essential part of that.

“The attackers certainly share their information with each other. And really, only the first attacker has to be smart. Beyond that it’s just implementing software for everyone,” he says.

The good guys should take a page from that playbook.

■ George V. Hulme is a freelance writer based in Minnesota. Follow him on Twitter: @georgevhulme.

Attacks Get More Devastating as Hacktivists Escalate

Photo caption: Still from the online video “Innocence of Muslims.”

… over the true identity of the attackers. Some think they could be sponsored by a country such as China, or that they could be Iranian attackers seeking revenge for financial sanctions. Others contend the attacks could have a yet-to-be-determined cybercrime element to them. Whoever is behind the al-Qassam Cyber Fighters posts on Pastebin.com is likely responsible for the attacks, most experts agree. Their posts have been precise and have often accurately foreshadowed attacks to come.

The periodic attacks slowed in December. During this time, many believed the attackers were taking time to improve their tools and adjust their strategy. “We did see modifications to the attack tools, and there were some custom tools that appeared to


be created specifically for these attacks. The al-Qassam Cyber Fighters claim the pause was related to a religious holiday, but it is just as likely that it was a pause so they could update their ways,” says Gary Sockrider, solutions architect for the Americas at Arbor Networks.

When they resumed after a few weeks, the attacks were broad, deep and devastating. Rich Bolstridge, chief strategist of financial services at Akamai Technologies, reports that one attack in January was distributed across 100 countries. He says botnet-infected systems were identified not only in countries where they’d be expected, such as China and Russia, but also in the U.S. “While the industry likes to point to certain countries as always being the origins of attack, it’s certainly not so when it comes to the botnets used to launch these attacks. The attack servers are from all over, including Dallas, Chicago, Los Angeles and other cities,” he says. In fact, because the systems are so well connected, the attackers prefer to launch their attacks from systems in the U.S.

In the beginning phases of the attacks, the al-Qassam Cyber Fighters used well-known DDoS weaponry. However, over time they have increased their punch, using a combination of network and Web application-layer attacks. Additionally, instead of hitting the systems of one bank at a time, the attackers started hitting several banks at once. They also focused increasingly on encrypted rather than unencrypted traffic.

These changes in attack techniques caught many banks and network service providers off-guard as they tried various countermeasures. “None of the attack techniques were especially new or complex by themselves. Application-layer attacks are not new. Neither are volumetric attacks. However, combining the two while ramping up the number of banks hit concurrently is,” says Sockrider.

According to Sockrider, the targeting of many banks at the same time has strained the resources of financial services telecommunications and network services providers. “They had challenges with the volume of traffic generated. They would also see different attack profiles and characteristics for each attack, therefore none of these bank attacks look sustained. They all looked unique. By the later stages of these attacks they were putting a serious strain on the carriers and those upstream defending against all of this traffic.”

Not all the attacks were successful. “Very often we see that when an attack comes on, and when defenses are already in place, the attackers will leave within 15 minutes. They’ll just move on to the next, softer target,” he says. But those softer targets fared much worse, says Bolstridge. “We watched two banks suffer six to nine hours of downtime.” One bank was knocked completely offline. The other had major performance availability problems for the rest of the day. “Once the attackers find a soft target, they’ll keep that target on their list.”




Ten Tweets: Brian Honan

@BrianHonan

The infosec consultant, blogger, author and founder and head of Ireland’s Computer Security Incident Response Team (CSIRT) responds to 10 questions in 140 characters or less.

CSO: Greetings, Brian! Let’s start with hearing about your background. How did you get into security?

@BrianHonan: I worked for a financial org in the ’80s who were introducing PCs to the biz. My role was supporting them, which included security.

Tell us a bit more about your career path over the years.

I moved from internal support into a consulting role, then management responsible for 24/7 service, and then started my own firm in 2004.

You’re also founder and head of Ireland’s CSIRT. How has that effort affected security and the industry in your country?

I hope it has raised awareness of threats facing Ireland, how to deal with them, and how orgs should better manage their responses.

What’s your security philosophy?

It’s “Security should support and enable the business.” So we need to engage on all aspects—risk, tech, people, policy and procedures.

Interesting. What do you consider the biggest challenge in your career in carrying out that philosophy?

Getting security people to realize it’s not just about the tech and learn to live with the fact that there is no such thing as 100 percent security.

What’s the best career or security advice you ever received?

“Keep your CV up-to-date—you’re a breach away from a new job!” Seriously though, “Engage and share with your peers and the business.”

Ha! OK, what trends would you point to as the major catalysts for change in security over the last decade?

The decentralization of our data to PCs, remote access, mobile devices, and now cloud services. BYOD is an extension of that trend.

Fill in the blank: If I didn’t work in security I would ______.

Have a lot less stress in my work. But it may not be as interesting and challenging as it is.

Right. Never a dull moment in security. So, who or what inspires you?

Those working to improve the industry and how we protect ourselves. Many go unnoticed, as they do it simply to make things better.

Speaking of others in the industry, I’m passing the buck now: Who should CSO tweet with next?

I think @rik_ferguson would be a great guest and would have some interesting stories to share.



THE EMPLOYEE SECURITY AWARENESS NEWSLETTER FROM THE EDITORS AT CSO

Security Smart is a quarterly security awareness newsletter ready for distribution to your employees — saving you precious time on employee education! The compelling content combines personal and organization safety tips, so it is applicable to many facets of employees’ lives. And the easy-to-read design has multiple entry points, so you are assured that your intended audience of employees — your organization’s most valuable assets — will read and retain the information.



Subscribe today!




To view a sample issue of the newsletter, learn about the delivery options and to subscribe visit:

www.SecuritySmartNewsletter.com




For more information please visit

www.SecuritySmart.com

Security Smart is published by CSO, a business unit of CXO Media. © 2012 CXO Media Inc.




AUTHENTICATE PHYSICAL IDENTITIES, AUTOMATE PHYSICAL ACCESS, ACHIEVE AUDIT & COMPLIANCE 24/7

The SAFE Software Suite centralizes your disparate physical access platforms into a policy-based system that automates physical identity and access management. SAFE ensures that the right physical identity has the right access, for the right reasons, at the right time, with instant verification of who is where, why they are in that location, and who authorized their physical access. All of this is managed automatically to achieve full auditability and compliance with various regulations. SAFE’s ability to automate these processes drives down operational costs. It’s the most efficient way to manage employees, contractors, visitors and their access lifecycle in your organization. Make your world SAFE with Quantum Secure.

QUANTUMSECURE.COM • INFO@QUANTUMSECURE.COM • 1.408.687.4587


